former insurance agent was prosecuted for contravention of section 26(1) of the
Ordinance, and was fined accordingly.
6.18
In a complaint investigated by the Commissioner in 2007, an unsuccessful insurance
applicant complained to the Commissioner against an insurance company for retaining
the applicant’s personal data. During the investigation, it was revealed that the
insurance company did not have a specific retention policy and would retain the
personal data of unsuccessful applicants indefinitely. The Commissioner found that the
insurance company was in breach of DPP2(2). The Commissioner was of the view that
the optimal period for retention of personal data for unsuccessful insurance applications
with and without money transaction involved should be no more than seven and two
years respectively.
6.19
In another case,³ a bank customer complained that the bank continued to retain
information about his bankruptcy (i.e. his name, HKID number, bankruptcy number and
date of the bankruptcy order) even though his bankruptcy had been discharged a long
time ago. According to the bank, its practice was to retain the said information supplied
by the Official Receiver’s Office (“ORO”) for ninety-nine years. ORO provided the
information to banks to remind them of their obligation under section 52 of the
Bankruptcy Ordinance, i.e. to inform the Official Receiver and the trustee of the
existence of deposits of an undischarged bankrupt. The reasons put forward by the bank
for retaining the information for ninety-nine years included that the information would be
used for the purpose of complying with requests that it might receive from the
Government or law enforcement agencies; for consideration of a credit facilities
application and for processing collection action related to the individual concerned.
The Commissioner did not accept that sufficient justifications existed as normally a
bankruptcy order should be discharged between four and eight years after
commencement of bankruptcy. It was also noted that the Hong Kong Monetary
Authority, the regulator of the banking industry, did not prescribe a retention period for
bankruptcy data. The bank was found to have contravened DPP2(2) and section 26(1).
Consequent to the Commissioner’s findings, the bank revised its policy and practice and
ceased keeping the bankruptcy data of its customers for longer than eight years.
6.20
The Commissioner is of the view that, for prudent business and good privacy practice,
data users should devise a clear privacy policy and practice to erase personal data
when its purpose of collection has been met to ensure compliance with DPP2(2).⁴ For
instance, where biometric data, such as fingerprint data, of employees is collected for
the purpose of recording attendance, the data should be safely erased by the employer when
the employee in question leaves employment.
6.21
Sometimes, personal data may be kept longer than usual to comply with specific
requirements provided by statutes, codes of practice or guidelines applicable to a
particular trade or industry. For example, in cases of suspected money laundering
activities, the banks are required to comply with the Anti-money Laundering and Counter
3 See Investigation Report No. R11-6121, available on the Website:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R11_6121_e.pdf
4 See Guidance on Personal Data Erasure and Anonymisation, available on the Website:
https://www.pcpd.org.hk//english/resources_centre/publications/files/erasure_e.pdf